Tip

Go beyond SOX for business continuity

What you will learn from this tip: Achieving SOX compliance does not ensure business resilience or continuity. There are extra steps you should take to make sure that your business is protected.

As business continuity practitioners, we often hear from C-level managers that their organization is "in pretty good shape" from a

Requires Free Membership to View

business continuity or disaster recovery (DR) perspective, having just completed a Sarbanes-Oxley (SOX) compliance effort. After all, auditors evaluate the measures or controls in place to ensure transactional data is available if ever requested by a court of law. Many organizations depend on IT systems to access and store transactional data…in other words, data storage and backups.

The assumption that an organization is capable of business resumption because it has met SOX compliance requirements sometimes leads to a very unpleasant surprise following a major disaster. The SOX act was mostly designed to rebuild the investor community's confidence and protect them from negligent or fraudulent financial reporting by filers. The following are only some of the data storage and backup items not directly considered by auditors when reviewing IT controls (SOX, section 404). However, they are nonetheless essential elements of business continuity management (BCM):

Related information

Managing corporate records for Sarbanes-Oxley

What are some steps to making my storage SOX compliant?

Storage Clips: Infortrend unveils SAS array

 

Recovery time objective (RTO): Data protection alone does not ensure timely recovery. RTO for a given application is not an output of a regulatory compliance audit and data restore performance is not measured.

Recovery strategy: A SOX compliance audit offers little guidance as to whether tape backups, disk-to-disk backups or data replication will best meet your business' and application's specific requirements.

Contingency plan: SOX compliance does not require an organization to have a comprehensive, well-rehearsed and maintained contingency plan(s). In fact, DR and BCP are specifically named as being outside the scope of SOX compliance requirements.

Dependencies and recovery priorities: SOX is not necessarily concerned that a licensing server must first be restored and operational before an application can come up or that the data network must be available for backup data to be restored. The order in which applications are recovered is of no relevance unless it affects specific controls over security, availability or integrity of transactional data.

Lost revenue: SOX is concerned with data being recoverable, but not the time involved. Revenue losses resulting from a lengthy recovery are not directly considered.

Just as regulatory compliance, BCP must become part of a solid risk management program. Compliance alone does not ensure recoverability. From a storage perspective, the choice of technology and performance is not regulated beyond certain data security and integrity aspects; we are responsible for the design of data storage and backup strategies that meet your business' requirements. It is up to you to clearly document the recovery priority and procedures.

In retrospect, we can assume that out of the numerous Gulf Coast businesses that will never reopen after Hurricane Katrina, some may have been SOX compliant.

For more information:

Choosing a compliance archiving tool



About the author: Pierre Dorion is a certified business continuity professional for Mainland Information Systems Inc.

This was first published in November 2005

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.